1. Field of the Invention:
The present invention relates to the field of key management schemes, and more particularly, the present invention relates to a key management scheme for Internet working protocols to provide additional security at the network layer.
2. Art Background:
The Internet comprises a spiderweb of connected networks which criss-cross the globe and permit users to send and receive data packets between computers. Although many of the computers coupled to the Internet are disposed at fixed locations, portable computer systems may be physically moved from one location on a network to another. Wireless links coupling the computers to the Internet, including direct satellite links, also allow users to access the Internet from remote areas. As a result of the dramatic increase in the use of the Internet throughout the word, concerns regarding network security naturally arise.
A variety of schemes have been proposed to increase security on the Internet, and a number of these schemes have been adopted. For example, encryption and authentication procedures known as Privacy Enhanced Mail (PEM) provide for enhanced privacy in electronic mail ("e-mail") services over the Internet. Additionally, schemes for utilizing PEM for secure remote user authentication have also been proposed. (See, for example, copending U.S. patent application Ser. No. 08/253,802, filed Jun. 3, 1994, entitled "METHOD AND APPARATUS FOR SECURE REMOTE USER AUTHENTICATION IN A PUBLIC NETWORK", assigned to the Assignee of this patent application, Sun Microsystems, Inc., and hereby incorporated fully by reference.)
However, even if a remote user has been authenticated, there still exists the possibility that an intruder (herein referred to as a "cracker") may mount an active attack to interject himself in data transfers across the Internet. Although a user may incorporate a scheme for secure remote user authentication prior to login, a cracker may sever one of the authenticated parties from the Internet connection, and receive and transmit substitute data packets to the other unwitting party (or potentially to both parties). Once the Internet connection is established, data packets are sent over the network in the clear. For example, a cracker may interject himself between, for example, a user "A" in communication with a user "B" on the Internet, and issue a disconnect command to user A. Upon receipt of the disconnect command from the cracker, user A believes that user B has severed the connection. The cracker may then take over the communication established with user B, such that user B does not know that user A is not sending him data packets. Thus, a number of security issues exist when sending data over the Internet, including a cracker's ability to monitor data packets in the clear and to interject himself in the communication line such that he may receive and send data packets to unwitting users. It is, therefore, advantageous to put authenticity and privacy features at the network layer on the Internet. However, the majority of the privacy and authentication protocols which have been proposed provide session oriented key management schemes. Unfortunately, many of the commonly used network layer protocols are session-less datagram oriented protocols.
In the Applicant's co-pending parent U.S. patent applications of which this U.S. patent is a continuation-in-part, a simple key management scheme (referred to as "SKIP") was disclosed for use in session-less datagram protocols. In the SKIP scheme, a first data processing device (node I) is coupled to a private network which is in turn coupled to the Internet. A second data processing device (node J) is coupled to the same, or to a different network, which is also coupled to the Internet, such that node I communicates to node J using the Internet protocol ("IP"). Node I is provided with a secret value i, and a public value .alpha..sup.i mod p. Node J is provided with a secret value j, and a public value .alpha..sup.j mod p. Data packets (referred to as "datagrams") are encrypted using the teachings of the present invention to enhance network security. A source node I obtains a Diffie-Helman (DH) certificate for node J (either from a local cache, from a directory service, or directly from node J), and obtains node J's public value .alpha..sup.j mod p from the DH certificate. Node I then computes the value of .alpha..sup.ij mod p, and derives a key K.sup.ij from the value .alpha..sup.ij mod p. A transient key K.sub.p is generated at random and is used to encrypt the datagram to be sent by node I. The key K.sub.p is used for a configurable number of bytes, which is the maximum number of bytes the node will encrypt using K.sub.p. The key K.sub.p is then encrypted with key K.sub.ij.
Upon receipt of the encrypted datagram by the receiving node J, the node J obtains a DH certificate for node I (either from a local cache, from a directory service or directly from node J) and obtains the public value .alpha..sup.i mod p. Node J then computes the value of .alpha..sup.ij mod p and derives the key K.sub.ij. Node J utilizes the key K.sub.ij to decrypt the transient key K.sub.p, and using the decrypted transient key K.sub.p, node J decrypts the datagram packet, thereby resulting in the original data in unencrypted form.
One aspect of the SKIP scheme disclosed in my co-pending parent application is that K.sub.ij stays constant until the DH certificate changes. Depending on the environment, obtaining a new DH certificate may result in system performance degradation. As will be described, the present invention discloses a method and apparatus for generating other implicit keys from K.sub.ij, without the necessity of generating a new DH certificate or requiring any communication between node I and J to change keys. Using the teachings of the present invention, one secret may be used to generate literally millions of secret keys by stepping the context, where a context is defined by an implicit interchange key. In addition, the present invention provides methods and apparatus for achieving perfect forward secrecy in closed user groups, through the application of one-way functions to the implicit pair-wise secrets for each node. Moreover, the present invention discloses an improved application of SKIP for datagram multicasts.